Samba authentication against Novell eDirectory
hno at squid-cache.org
Sat Feb 5 23:07:25 GMT 2005
On Sat, 5 Feb 2005, schmieder, holger wrote:
> So far so good. The problem is that samba is authenticating against the
> attribute sambaLMPassword. I can set that password with smbldap-passwd, but
> so I have two different passwords stored in NDS.

Welcome to the world of secure authentication ;-)

> I would now like to use the original NDS-password and disable the
> sambaLMPassword-attribute. I've played around with PAM and some settings
> in smb.conf but samba only accepts this one attribute.

Problem is that Samba and NDS both store the password one-way hashed, and
need different hash formats. If you also want the directory to support
Digest authentication then yet another password hash format is required.

There are basically only two options here to make a directory work with
multiple authentication schemes:

a) Make several password attributes in the directory and make sure the
tools changing the user password change all of the attributes.

b) Have the directory store plain text passwords.

Approach 'a' is more secure, but requires the directory to support (at
least to the level of password hashing) all the authentication models

Approach 'b' is simpler and allows easy migration to new authentication
models without forcing all users to change their password, but has obvious